Abstract. We propose new quantum algorithms to solve the regulator and the principal ideal problem in a real-quadratic number field. We improve the algorithms proposed by Hallgren ([Hal02b], [Hal07]) by using two different techniques. The first improvement is the usage of a period function which is not one-to-one on its period. We show that even in this case Shor's algorithm computes the period with constant probability. The second improvement is the usage of reduced forms $(a, b, c)$ of discriminant $\Delta$ with $a > 0$ instead of reduced ideals of the same discriminant. These improvements reduce the number of required qubits by at least $2 \log \Delta$.

1 Introduction 

Quantum algorithms can be used to achieve a sub-exponential or even exponential speed-up over known classical algorithms for some mathematical problems by using Shor's quantum framework. Shor's algorithms for factoring and solving the discrete logarithm problem [Sho94] have been adapted to different problems. The computation of the regulator (regulator problem) of a real-quadratic number field and the solution of the principal ideal problem (PIP) are two examples of such adaptations. Classically, these problems can be solved in sub-exponential time assuming the generalized Riemann hypothesis (GRH). For the quantum world, polynomial time algorithms were proposed by Hallgren in [Hal02b].

Regulator computation and the PIP are interesting problems not only from a pure mathematical point of view. In [BW90], Buchmann and Williams proposed a Diffie-Hellman-like cryptosystem whose security is based on the PIP. Thus, if we could solve the PIP, we could break the cryptosystem from [BW90].

The regulator computation differs from all the other settings where Shor's algorithm can be applied. It operates on a structure (the infrastructure of principal reduced ideals) which is not a group, since it lacks associativity. However, Hallgren showed that Shor's algorithm can still be used in this case.

The regulator problem (RP) and the PIP require the computation of natural logarithms. Thus, one problem which arises during these computations is the choice of the right approximation of natural logarithms. There is no known way to choose the approximation a priori for a given number field. Thus, the functions proposed in [Hal02b] cannot be computed in polynomial time. This problem was solved by Schmidt and Vollmer in [SV05] by using non-canonical number theoretic constructions, and by Hallgren himself in [Hal07] by defining functions which are periodic only on a subset of the possible function values. In our paper we show that this problem can also be solved by using functions which are always periodic but are many-to-one on their fundamental period. We show that Shor's framework computes the right period even in such a case with constant success probability. We obtain a Monte Carlo type algorithm which does not depend on GRH.

The problem of computing the period of a function which is not one-to-one was first addressed by Boneh and Lipton in [BL95]. The authors presented algorithms for functions on $\mathbb{Z}$ which have integer periods. In [ME99], Mosca and Ekert generalized this result to finitely generated abelian groups for some restricted class of functions. In [HH00] and [Hal02a], these restrictions were eliminated by Hales and Hallgren. In our paper, we solve this problem for certain many-to-one functions whose periods are irrational.

There are two equivalent languages which can be used to describe elements of, and problems in, quadratic number fields. The first is the language of ideals, which is usually used for formal definitions of the underlying concepts and elements of a number field. The second is the language of quadratic forms, which is used to describe algorithms and carry out computations. In this paper, we will use both languages in exactly this way.

Our contribution in this paper is the following. We present more efficient versions of algorithms for computing the regulator and solving the PIP. Since the PIP is the basis of a cryptosystem, this gives us a better tool to compare this cryptosystem to others with respect to their resistance against quantum attacks. Thus, we can make a better choice of which cryptosystem should be used if we assume that quantum computers of a certain size can be built ([Sch06], [Sch07]). The second contribution is a set of examples of problems whose solution can be improved by using functions which are not one-to-one on their fundamental periods. In this paper, we do not do a full analysis of the number of qubits for the presented algorithms. Instead, we only reduce the complexity of certain parts of the known algorithms. A first complete analysis of the algorithms was presented in [Sch07]. We will improve this analysis by using the more efficient algorithms in a subsequent paper.

Our paper is organized as follows. In the next section, we give a short overview of the quantum framework. 
In section 3, we present the necessary background from number theory. In section 4, we describe a quantum 
algorithm for computing the regulator of a given number field. In section 5, we present an algorithm for solving 
the principal ideal problem. We summarize our results and describe open problems in the last section. 

2 Quantum Computing Background 

Many polynomial time quantum algorithms that solve problems for which only sub-exponential or even exponential classical algorithms are known use the (inverse) quantum Fourier transform (QFT) as a subroutine. The problems in this class can be reduced to the problem of finding a basis for a period lattice $\Lambda$ of an appropriate function.¹ For example, Shor's factoring algorithm computes the factors of an integer $n$ by determining the period of the function $f(x) = a^x \bmod n$, with $1 < a < n$. The period of $f$ is the order of $a$ in the finite abelian group $(\mathbb{Z}/n\mathbb{Z})^*$, and the corresponding lattice is $\operatorname{order}(a)\mathbb{Z}$. The objective of the quantum subroutine is to find an approximation of a basis $B$ for the dual lattice $\Lambda^*$. During the classical post-computation step the basis $B$ is used to compute a basis of the original lattice $\Lambda$. The latter task can be done by using a continued fraction expansion as proposed in Shor's original paper [Sho94], by using a simultaneous Diophantine approximation as proposed by Seifert in [Sei01], or by using techniques by Buchmann and Pohst ([BP89], [BK93]) as proposed by Hallgren in [Hal05] and Schmidt and Vollmer in [SV05].

The framework for such an algorithm is the following. The quantum computer uses two registers: one to store the input vector of the function and one to store the function value. The algorithm starts by creating a superposition of all possible states in the first register, by computing the function value into the second register, and by measuring the second register. By the laws of quantum mechanics, the measurement changes the state of the quantum computer to $\sum_{\lambda \in L} |k + \lambda\rangle$, where $k$ is a random vector and $L$ is a subset of $\Lambda$. Next, the QFT and a measurement are applied to the first register. One useful property of the set computed by the QFT is that it is independent of the coset $k + \Lambda$. Thus, the QFT always creates a superposition of values which approximate the basis of $\Lambda^*$ independent of $k$. The other useful property of the QFT is that the elements in the superposition are almost uniformly distributed. These two properties imply that, for a fixed dimension of the lattice, an approximation of the basis $B$ is computed with constant probability after running the above algorithm a constant number of times.

In the following sections, we will define periodic functions whose period lattices can be used to compute 
the regulator and to solve the PIP resp. DL-problem. 

3 Number Theory Background 
3.1 Ideals 

Let $\Delta$ be a positive integer which is not a square such that $\Delta \equiv 0, 1 \bmod 4$. Then the module $\mathcal{O}_\Delta = \mathbb{Z} + \frac{\Delta + \sqrt\Delta}{2}\mathbb{Z}$ is a real-quadratic order. The field of fractions of the order $\mathcal{O}_\Delta$ is the real-quadratic field $\mathcal{K} = \mathbb{Q}(\sqrt\Delta)$. An element $\alpha \in \mathbb{Q}(\sqrt\Delta)$ can be written as $\alpha = a + b\sqrt\Delta$ with $a, b \in \mathbb{Q}$. The norm of $\alpha$ is $a^2 - \Delta b^2$.

Let $X$ and $Y$ be two subsets of $\mathcal{K}$; then the product $XY$ is the additive subgroup of $\mathcal{K}$ generated by $\{xy \mid x \in X,\ y \in Y\}$. An integral $\mathcal{O}_\Delta$-ideal is a module $\mathfrak{a} \subset \mathcal{O}_\Delta$ such that $\mathfrak{a}\mathcal{O}_\Delta \subset \mathfrak{a}$. A (fractional) ideal $\mathfrak{a}$ is a subset of $\mathcal{K}$ such that $d\mathfrak{a}$ is an integral ideal for some $d \in \mathbb{Z}$. An ideal $\mathfrak{a}$ is invertible if there exists an ideal $\mathfrak{b}$ with $\mathfrak{a}\mathfrak{b} = \mathcal{O}_\Delta$. By $\mathcal{I}$, we denote the set of invertible ideals.

¹ We say that a function $f : \mathbb{R}^n \to S$ has a period lattice $\Lambda \subset \mathbb{R}^n$ if $\Lambda$ is a lattice and $f(x) = f(x + \lambda)$ for all $\lambda \in \Lambda$.



Each ideal $\mathfrak{a}$ has the form
$$\mathfrak{a} = q\Big(a\mathbb{Z} + \frac{b + \sqrt\Delta}{2}\mathbb{Z}\Big),$$
where $a, b \in \mathbb{Z}$, $q \in \mathbb{Q}$, $a, q > 0$, $b$ is unique modulo $2a$, $c = (b^2 - \Delta)/(4a) \in \mathbb{Z}$, and $\gcd(a, b, c) = 1$. The ideal is called reduced if $a > 0$ and $|\sqrt\Delta - 2|a|| < b < \sqrt\Delta$. By $\mathcal{R}$ we denote the set of reduced ideals.

Two ideals $\mathfrak{a}$ and $\mathfrak{b}$ are equivalent if there is an $\alpha \in \mathcal{K}$ such that $\mathfrak{b} = \alpha\mathfrak{a}$. The set of equivalence classes of invertible ideals forms a finite abelian group under ideal multiplication. We denote this group by $\mathrm{Cl}_\Delta$. We have $\mathrm{Cl}_\Delta = \mathcal{I}/\mathcal{P}$, where $\mathcal{P} = \{\alpha\mathcal{O}_\Delta \mid \alpha \in \mathcal{K}\}$ is the set of principal ideals.

Every ideal $\mathfrak{a}$ is equivalent to a reduced ideal. An equivalent reduced ideal can be computed by applying the reduction operator $\rho(\mathfrak{a}) = \gamma\mathfrak{a}$, with $\gamma = -2c/(q(b + \sqrt\Delta))$, at most $\log_2(a/\sqrt\Delta) + 2$ times.

By Dirichlet's theorem, every unit of $\mathcal{O}_\Delta$ can be written as $\pm\varepsilon^k$ with an integer $k$ and a fundamental unit $\varepsilon$. It is easy to see that the norm of every unit is equal to plus or minus one.² In general, the number of bits which are necessary to represent a unit is exponential (in $\log\Delta$). Thus, instead of computing a fundamental unit $\varepsilon$ we compute the regulator defined as $R = \ln|\varepsilon|$. If we confine ourselves to units with norm plus one, then there is a fundamental unit $\varepsilon'$ of norm one such that every unit of norm one has the form $\pm(\varepsilon')^k$. In this case, $R^+ = \ln|\varepsilon'|$ is called the regulator in the narrow sense. Note that in a number field either $R = R^+$ or $R = R^+/2$. In our computations we will only consider the narrow case.

Principal ideals can be ordered on a circle of circumference $R$ by using the distance function $\delta : \mathcal{P} \to \mathbb{R}/R\mathbb{Z} : \alpha\mathcal{O}_\Delta \mapsto \mathrm{Log}\,\alpha$ with $\mathrm{Log}\,\alpha = \frac12\ln|\sigma(\alpha)/\alpha| \bmod R$. Note that the unit ideal has distance zero. The distance between two ideals $\mathfrak{a}$ and $\mathfrak{b}$ is defined by $\delta(\mathfrak{a}, \mathfrak{b}) = \delta(\mathfrak{a}) - \delta(\mathfrak{b}) \bmod R$. It has two important properties: $0 < \delta(\mathfrak{a}, \rho(\mathfrak{a})) < \ln\sqrt\Delta$ and $\delta(\mathfrak{a}, \rho(\rho(\mathfrak{a}))) > \ln 2$ for all reduced ideals $\mathfrak{a}$. There is a minimal positive integer $k$ such that the sequence $(\mathcal{O}_\Delta, \rho(\mathcal{O}_\Delta), \dots, \rho^k(\mathcal{O}_\Delta) = \mathcal{O}_\Delta)$ contains all principal reduced ideals. Thus, by applying $\rho$ we can "walk" through all these ideals. The product of all $\gamma$'s which occur during this computation is a fundamental unit.

For an $x \in \mathbb{R}$ and a principal ideal $\mathfrak{a} = \alpha\mathcal{O}_\Delta$, we define $\delta(\mathfrak{a}, x) = x - \mathrm{Log}\,\alpha \bmod R$. Let $\mathfrak{a} \in \mathcal{P}$ be such that $\delta(\mathfrak{a}, x) \le 0$ and $\delta(\rho(\mathfrak{a}), x) > 0$; then we say that the ideal is left of or at $x$ and denote it by $\mathfrak{a}_-(x)$. The computation of $\mathfrak{a}_-(x)$ requires the computation of natural logarithms. We cannot do this exactly. Moreover, to the best of our knowledge, computing $\mathrm{Log}\,\alpha$ to any a priori fixed precision does not allow us to decide correctly for some $x$'s whether $\delta(\mathfrak{a}, x) < 0$ or $\delta(\mathfrak{a}, x) > 0$. If, however, we successively increase the precision to break a tie, we might spend an amount of time on this single computation that exceeds any a priori given polynomial bound for the run-time of the total algorithm.³ Therefore, in our algorithms, we only approximate natural logarithms. For an $x \in \mathbb{Q}$, this approach produces some $\tilde{\mathfrak{a}}_-(x)$ which is left of or at $x$ according to these approximate logarithm computations. We take into account that for some $x$'s $\tilde{\mathfrak{a}}_-(x) \ne \mathfrak{a}_-(x)$.

In the rest of this section, we consider quadratic forms, show their correspondence to ideals, and describe the advantage of using them in our algorithms.

3.2 Quadratic Forms 

An integral indefinite quadratic form of discriminant $\Delta$ is a polynomial $aX^2 + bXY + cY^2$, where $a, b, c \in \mathbb{Z}$, $\gcd(a, b, c) = 1$, and $\Delta = b^2 - 4ac > 0$. If $\Delta$ is not a square, then the form is irreducible. The form is reduced if $|\sqrt\Delta - 2|a|| < b < \sqrt\Delta$. It is easy to see that if $(a, b, c)$ is reduced, then $ac < 0$.

There is a well known bijection (see [BV07], Theorem 4.4.4) between invertible ideals and $\Gamma$-orbits⁴ of irreducible indefinite forms with positive $a$. This bijection maps distances of ideals to distances of forms. Similarly to the ideal case, we can "walk" on the principal circle by applying the $\rho$-operator to the form $f = (a, b, c)$, which is $\rho(f) = (c, B, A)$ such that $B \equiv -b \bmod 2c$, $|\sqrt\Delta - 2|c|| < B < \sqrt\Delta$ and $A = (B^2 - \Delta)/(4c)$. The difference to the ideal case is that here the sign of the first coefficient alternates, whereas in the ideal case it is always positive. In our computations, we use this fact and look at reduced principal forms $(a, b, c)$ left of or at $x$ with the additional condition that $a > 0$. We denote the set of reduced principal forms with positive $a$ by $\mathcal{R}^+$. The advantage of using forms from $\mathcal{R}^+$ over all reduced forms is the following. As mentioned above, the distance between an ideal $\mathfrak{a}$ and $\rho^2(\mathfrak{a})$ is at least $\ln 2$. This implies that the distance between two consecutive forms from $\mathcal{R}^+$ is at least $\ln 2$, too. In contrast, the lower bound on the distance between consecutive forms in the set of all principal reduced forms depends on $\Delta$. Thus, by using $\mathcal{R}^+$, we have the property that the minimum distance between two forms is independent of $\Delta$.

² Note that there is a well known connection between fundamental units and solutions of the famous Pell equation (see [JW09] for more information about it).

³ This is exactly the point where there remains a gap in Hallgren's proof of polynomial run-time of his algorithm for the quadratic case.

⁴ A $\Gamma$-orbit of a form $(a, b, c)$ is the set $\{(a, B, C) \mid B \equiv b \bmod 2a \text{ and } C = (B^2 - \Delta)/(4a)\}$.

In our algorithms, we have to compute forms left of or at $x$ with $x > \Delta$. Since $\delta(\mathfrak{a}, \rho(\mathfrak{a})) < \ln\sqrt\Delta$, the time complexity of this computation by single $\rho$-steps is exponential in $\log\Delta$. To "jump" over larger distances, we use giant steps which consist of form composition and reduction. Let $f = (a, b, c)$ be the composition of two forms (resp. ideals) $f_1 = (a_1, b_1, c_1)$ and $f_2 = (a_2, b_2, c_2)$. Form $f$ has coefficients
$$a = \frac{a_1 a_2}{m^2}, \qquad b = \frac{j a_2 b_1 + k a_1 b_2 + l\,(b_1 b_2 + \Delta)/2}{m} \bmod 2a, \qquad c = \frac{b^2 - \Delta}{4a},$$
where $j a_2 + k a_1 + l\,(b_1 + b_2)/2 = m = \gcd(a_1, a_2, (b_1 + b_2)/2)$. Form $f$ is in general not reduced, so by applying $\rho$ at most $\log\sqrt\Delta + 2$ times we obtain a reduced form which is equivalent to the composition of $f_1$ and $f_2$. Let $k$ be the number of $\rho$-applications. For the distances, we have the following equation:
$$\delta(f_1 * f_2) = \delta(\rho^k(f)) = \delta(f_1) + \delta(f_2) + \delta', \qquad (1)$$
where $\delta' = \delta(f, \rho^k(f))$ is small (at most $\pm\ln\Delta$). An ideal composition followed by a reduction yields a structure which is almost a group (since, in general, $\delta' \ne 0$, it is not exactly a group); we call it the infrastructure (see [Len82], [BV07], or [JW09] for more details).

In our algorithm we compute the form $g_{x/4}$ left of or at $x/4 \in \frac14\mathbb{Z}$ using an approximate logarithm computation. This can be done as follows. Let $g$ be the unit form. We first compute the form $h = \rho(\rho(g))$. We know that $\delta(g, h) > \ln 2$. Thus, we can use a square-and-multiply method to compute the form $g_{x/4}$. We need to estimate the number of operations (squares, multiplications, reductions) to determine the necessary logarithm precision. Since in our algorithms $x < \Delta^2$, the number of squares and multiplications is at most $2(2\log_2\Delta + 2)$. Each square and multiplication is followed by $\log\sqrt\Delta + 2$ reductions. Therefore, the total number of operations is at most $c\log^2\Delta$, where $c < 10$ is a constant. If we choose the precision of each logarithm computation to be at least $1/(8c\log^2\Delta)$, then, by (1), we obtain $|\tilde\delta(g_{x/4}) - \delta(g_{x/4})| < 1/8$, where $\tilde\delta$ is the approximation of $\delta$ computed by the above algorithm. This approximation quality is required in the subsequent sections. The computation of $g_{x/4}$ can be done in time polynomial in $\log\Delta$, since all the computations (square, multiplication, reduction, and logarithm evaluations with the necessary precision) can be done in polynomial time.
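The walk on the principal cycle, the composition formula and the infrastructure equation (1) above, as an added worked example in Python (it is not code from the paper). It implements the operator $\rho$ on forms, the composition formula from the text, reduction with bookkeeping of $\delta'$, and a classical version of the function Reg of Definition 2 below that uses exact logarithms instead of the approximations the paper needs. The per-step distance $\frac12\ln|(\sqrt\Delta + b)/(\sqrt\Delta - b)|$ is the example's own assumption, derived from the ideal-side formula $\mathrm{Log}\,\gamma = \frac12\ln|\sigma(\gamma)/\gamma|$ for the multiplier $\gamma$ of a $\rho$-step; all function names are the example's own. Run on $\Delta = 28$ and $\Delta = 76$ it recovers $R^+ = \ln(8 + 3\sqrt7)$ and $\ln(170 + 39\sqrt{19})$ from the cycle, and it shows that composing $(5, 6, -2)$ with itself for $\Delta = 76$ and reducing lands exactly at $\delta(f_1) + \delta(f_2) + \delta'$ modulo $R^+$, as (1) claims, with $|\delta'| < \ln\Delta$.

```python
import math
from math import isqrt


def principal_form(D):
    """Reduced form (1, b, c) of the unit class: b = D (mod 2) and sqrt(D) - 2 < b < sqrt(D)."""
    r = isqrt(D)
    b = r if (r - D) % 2 == 0 else r - 1
    return (1, b, (b * b - D) // 4)


def is_reduced(f, D):
    a, b, _ = f
    s = math.sqrt(D)
    return abs(s - 2 * abs(a)) < b < s


def rho(f, D):
    """Reduction operator (a, b, c) -> (c, B, A) with B = -b (mod 2c), A = (B^2 - D)/(4c).
    B is taken in (sqrt(D) - 2|c|, sqrt(D)) if |c| < sqrt(D), else in (-|c|, |c|], so an
    unreduced form shrinks at every step and a reduced form stays reduced."""
    a, b, c = f
    s, m = math.sqrt(D), 2 * abs(c)
    lo = s - m if abs(c) < s else -abs(c)
    B0 = (-b) % m
    B = B0 + m * (math.floor((lo - B0) / m) + 1)  # least B = -b (mod 2c) with B > lo
    return (c, B, (B * B - D) // (4 * c))


def step_distance(f, D):
    """delta(f, rho(f)) = 1/2 ln |(sqrt(D) + b)/(sqrt(D) - b)| (assumed Log of the rho multiplier)."""
    s = math.sqrt(D)
    return 0.5 * math.log(abs((s + f[1]) / (s - f[1])))


def principal_cycle(D):
    """Walk rho from the principal form until it returns.  Returns the ordered list of
    (form, distance) pairs and the total distance, which is the narrow regulator R+."""
    g0 = principal_form(D)
    f, dist, table = g0, 0.0, []
    while True:
        table.append((f, dist))
        dist += step_distance(f, D)
        f = rho(f, D)
        if f == g0:
            return table, dist


def regulator_plus(D):
    return principal_cycle(D)[1]


def ext_gcd(x, y):
    """(g, u, v) with u*x + v*y = g = gcd(x, y) >= 0; works for negative inputs."""
    sx, sy = (-1 if x < 0 else 1), (-1 if y < 0 else 1)
    x, y = abs(x), abs(y)
    u0, u1, v0, v1 = 1, 0, 0, 1
    while y:
        q, x, y = x // y, y, x % y
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return x, sx * u0, sy * v0


def compose(f1, f2, D):
    """Composition as in the text: m = gcd(a1, a2, (b1+b2)/2) = j a2 + k a1 + l (b1+b2)/2,
    a = a1 a2 / m^2, b = (j a2 b1 + k a1 b2 + l (b1 b2 + D)/2) / m, c = (b^2 - D)/(4a)."""
    a1, b1, _ = f1
    a2, b2, _ = f2
    g, u, v = ext_gcd(a2, a1)               # u*a2 + v*a1 = gcd(a1, a2)
    m, p, l = ext_gcd(g, (b1 + b2) // 2)    # p*g + l*(b1+b2)/2 = m
    j, k = p * u, p * v
    a = a1 * a2 // (m * m)
    b = (j * a2 * b1 + k * a1 * b2 + l * (b1 * b2 + D) // 2) // m
    return (a, b, (b * b - D) // (4 * a))


def reduce_form(f, D):
    """Apply rho until the form is reduced; also return delta' = sum of the step distances."""
    delta = 0.0
    while not is_reduced(f, D):
        delta += step_distance(f, D)
        f = rho(f, D)
    return f, delta


def compose_reduce(f1, f2, D):
    return reduce_form(compose(f1, f2, D), D)


def infrastructure_error(f1, f2, D):
    """Distance mod R+ between delta(f1 * f2) and delta(f1) + delta(f2) + delta'; (1) says it is 0."""
    table, R = principal_cycle(D)
    dist = dict(table)
    h, dprime = compose_reduce(f1, f2, D)
    r = (dist[f1] + dist[f2] + dprime - dist[h]) % R
    return min(r, R - r)


def reg(x, D):
    """Reg(x) of Definition 2 with exact logarithms: the reduced principal form with a > 0
    left of or at x/4 (distances mod R+).  Runs of consecutive x map to the same form."""
    table, R = principal_cycle(D)
    t = (x / 4) % R
    best = None
    for f, d in table:                      # table is ordered by increasing distance
        if f[0] > 0 and d <= t:
            best = f
    return best


if __name__ == "__main__":
    for D in (28, 76):
        table, R = principal_cycle(D)
        print(D, "R+ =", round(R, 6), "cycle:", [f for f, _ in table])
    print("Reg(x) for D=28:", [reg(x, 28) for x in range(14)])
```

For $\Delta = 28$ the cycle is $(1,4,-3), (-3,2,2), (2,2,-3), (-3,4,1)$, so $\mathcal{R}^+$ has two elements and `reg` maps $x = 0, \dots, 5$ to $(1,4,-3)$ and $x = 6, \dots, 11$ to $(2,2,-3)$: runs of length 6, within the bound $\ln\Delta + 3 \approx 6.3$ of Lemma 2.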

4 Computing the Regulator 

In this section we solve the regulator problem which is defined as follows.

Definition 1 (Regulator Problem). Given $\Delta$, find an integer $R'$ with $|R' - R^+| < 1$, where $R^+$ is the regulator of $\mathbb{Q}(\sqrt\Delta)$.

We first give the definition of the periodic function for computing the regulator.

Definition 2. Fix an algorithm $\widetilde{\ln}$ for computing an approximation of the natural logarithm. The function
$$\mathrm{Reg} : \mathbb{Z} \to \mathcal{R}^+ : x \mapsto g_{x/4}$$
maps an integer $x$ to the principal reduced form $g_{x/4} = (a, b, c)$, $a > 0$, such that, with respect to $\widetilde{\ln}$, $g_{x/4}$ is left of or at $x/4$. The precision of $\widetilde{\ln}$ must be chosen such that, for all $x$, $|\tilde\delta(g_{x/4}) - \delta(g_{x/4})| < 1/8$, where $\tilde\delta$ is the approximation of $\delta$ which uses $\widetilde{\ln}$ instead of $\ln$.

In the next two lemmas, we will show that Reg is periodic. In Lemma 2 we will show that for every $g \in \mathcal{R}^+$ there are runs of successive integers in every period of Reg which are all mapped to $g$, that the number of integers in these runs is at most $\ln\Delta + 3$, and that this number differs by at most 4 in different periods. In Lemma 1 we will show that the runs are non-empty and that their first elements recur with period $4R^+$, up to an error of less than one.



Lemma 1. For every $g \in \mathcal{R}^+$, there is a $y = 4\delta(g) + 1/2$ such that
$$\forall k \in \mathbb{Z}\ \exists \epsilon \in \mathbb{R},\ |\epsilon| < 1:\quad x = y + 4kR^+ + \epsilon \in \mathbb{Z},\quad \mathrm{Reg}(x) = g,\ \text{and}\ \mathrm{Reg}(x - 1) = \rho^{-2}(g).$$

Proof. Let $g \in \mathcal{R}^+$, $y = 4\delta(g) + 1/2$, $k \in \mathbb{Z}$, and $x \in \mathbb{Z}$ such that $x/4 = \delta(g) + kR^+ + \zeta$ with $-1/8 \le \zeta < 1/8$. From $\ln 2 < \delta(\rho^2(g)) - \delta(g)$, we obtain $\tilde\delta(\rho^2(g)) - \tilde\delta(g) > \ln 2 - 1/4 > 1/4$. That means that for every $g$ there is at least one $x$ in each period with $\mathrm{Reg}(x) = g$, and the period lattice of Reg has no gaps.

Now assume $-1/8 \le \zeta < 0$. In this case we have $x/4 < \delta(g) + kR^+ \le x/4 + 1/8$ and therefore $x/4 - 1/8 < \tilde\delta(g) + kR^+ < (x + 1)/4$. This implies that $\mathrm{Reg}(x - 1) = \rho^{-2}(g)$, $\mathrm{Reg}(x + 1) = g$, and $\mathrm{Reg}(x) \in \{\rho^{-2}(g), g\}$. If $\mathrm{Reg}(x) = \rho^{-2}(g)$, then $|x - y - 4kR^+| < 1/2$. If $\mathrm{Reg}(x) \ne \rho^{-2}(g)$, then $|(x + 1) - y - 4kR^+| < 1$. Thus in both cases the $\epsilon$, as defined in the lemma, exists.

The case $0 \le \zeta < 1/8$ is analogous. □

Lemma 2. Let $\Delta$ be a discriminant of a real-quadratic number field whose regulator $R^+$ is greater than $5\ln\Delta$. Let $g \in \mathcal{R}^+$, $y = 4\delta(g) + 1/2$, $k \in \mathbb{Z}$, and $\epsilon_{(g,k)} \in \mathbb{R}$ be defined as in the last lemma. Then there exists an $m_{(g,k)} \in \mathbb{Z}$, $1 \le m_{(g,k)} \le \ln\Delta + 3$, such that the following is true:

1. $\mathrm{Reg}(y + 4kR^+ + \epsilon_{(g,k)} + m_{(g,k)} + 1) = \rho^2(g)$.

2. $\mathrm{Reg}(y + 4kR^+ + \epsilon_{(g,k)} + m) = g$ for all $m \in \mathbb{Z}$, $0 \le m \le m_{(g,k)}$.

3. $\max_{k, k' \in \mathbb{Z}} |m_{(g,k)} - m_{(g,k')}| \le 4$.

Proof. We first prove the existence of $m_{(g,k)} \in \mathbb{Z}$, $1 \le m_{(g,k)} \le \ln\Delta + 3$, such that (1) is satisfied. This follows from $\delta(\rho^2(g)) - \delta(g) < \ln\Delta$ and the assumption that $R^+ > 5\ln\Delta$, which implies $\mathrm{Reg}(y + 4kR^+ + \epsilon_{(g,k)}) \ne \mathrm{Reg}(y + 4kR^+ + \epsilon_{(g,k)} + \lceil\ln\Delta\rceil + 2)$.

(2) and (3) follow easily from the fact that we look for forms left of or at a multiple of $1/4$ and the approximation quality of the function Reg is at least $1/8$. □

Now we present our algorithms. We first start with the quantum subroutine. 



Algorithm 1 Regulator-Dual

Input: Discriminant $\Delta$, $q$ which is a power of two with $q/2 < 5\Delta(\ln\Delta)^2 \le q$.
Output: Approximation of a number from $(q/R^+)\mathbb{Z}$.

1. (initial state) $|0\rangle, |(1, \Delta \bmod 2)\rangle$.

2. (create superposition) $\to \frac{1}{\sqrt q}\sum_{x=0}^{q-1} |x\rangle, |(1, \Delta \bmod 2)\rangle$.

3. (compute Reg) $\to \frac{1}{\sqrt q}\sum_{x=0}^{q-1} |x\rangle, |\mathrm{Reg}(x)\rangle$.

4. (measure the second register)
$$\to \frac{1}{\sqrt p}\sum_{k \in M}\sum_{m=0}^{m_{(x',k)}} |x' + 4R^+k + m + \epsilon_{(x',k)}\rangle, |\mathrm{Reg}(x')\rangle$$
with a random $x' \in \{0, \dots, \lfloor 4R^+\rfloor\}$, $m_{(x',k)}$ and $\epsilon_{(x',k)}$ as defined in Lemma 2, $M = M_{x'} = \{k \in \mathbb{Z} \mid 0 \le x' + 4R^+k + \epsilon_{(x',k)} < q\}$ and $p = \operatorname{card}\{x \in \mathbb{Z} \mid 0 \le x < q \text{ and } \mathrm{Reg}(x) = \mathrm{Reg}(x')\}$.

5. (apply the quantum Fourier transform to the first register)
$$\to \frac{1}{2\sqrt{pq}}\sum_{y=0}^{4q-1}\sum_{k \in M}\sum_{m=0}^{m_{(x',k)}} \exp\Big(2\pi i\,\frac{(x' + 4R^+k + m + \epsilon_{(x',k)})\,y}{4q}\Big)\,|y\rangle, |\mathrm{Reg}(x')\rangle.$$

6. Measure and return the first register $y$.



Theorem 1. Let $\Delta$ be a discriminant of a real-quadratic number field whose regulator is at least $32\ln\Delta$. The algorithm Regulator-Dual computes an approximation of a random element from $(q/R^+)\mathbb{Z}$. The approximation has the form $(q/R^+)z + \omega$ where $z \in \mathbb{Z}$ and $|\omega| < 1/2$. The algorithm succeeds with probability at least $2^{-11}$ and requires at most $2\log(\Delta) + 2\log\ln\Delta + N + 7$ qubits, where $N$ is the number of temporary qubits which are necessary to execute operations on forms to compute Reg.⁵

Proof. We use the same notation as in the theorem and the algorithm. Let $m_{\max} = \max_{k \in M_{x'}} m_{(x',k)}$, $m_{\min} = \min_{k \in M_{x'}} m_{(x',k)}$, and
$$\mathcal{Y} = \Big\{ y \in \mathbb{Z} \;\Big|\; 0 \le y < \frac{q}{4(m_{\max} + 1)} \text{ and } \frac{y}{4q} = \frac{z}{4R^+} + \omega_y \text{ with } z \in \mathbb{Z} \text{ and } |\omega_y| < \frac{1}{8q} \Big\}. \qquad (2)$$

The probability to measure a $y \in \mathcal{Y}$ is
$$\Pr(y \in \mathcal{Y}) = \frac{1}{4pq}\,\Big|\sum_{k \in M}\sum_{m=0}^{m_{(x',k)}} \exp\Big(2\pi i\,\frac{(4R^+k + m + \epsilon_{(x',k)})\,y}{4q}\Big)\Big|^2 .$$
Since we have
$$\frac{(4R^+k + m + \epsilon_{(x',k)})\,y}{4q} \equiv 4R^+k\,\omega_y + \frac{(m + \epsilon_{(x',k)})\,y}{4q} \pmod 1$$
(the term $4R^+k \cdot z/(4R^+) = kz$ is an integer) and since the function $\exp$ is periodic, we can write
$$\Pr(y \in \mathcal{Y}) = \frac{1}{4pq}\,\Big|\sum_{k \in M}\sum_{m=0}^{m_{(x',k)}} \exp\Big(2\pi i\Big(4R^+k\,\omega_y + \frac{(m + \epsilon_{(x',k)})\,y}{4q}\Big)\Big)\Big|^2 . \qquad (3)$$

By Lemma 2 and Equation (2), we conclude $|4R^+k\,\omega_y| < 1/8$ and $-1/16 < (m + \epsilon_{(x',k)})\,y/(4q) < 1/16$. This means that (3) is a sum of $p$ vectors of length one which all lie in a segment of size $\pi/2$. Thus, the probability that we measure a certain $y \in \mathcal{Y}$ is
$$\Pr(y \in \mathcal{Y}) \ge \frac{1}{4pq}\Big(\frac{p}{\sqrt 2}\Big)^2 = \frac{p}{8q}.$$

Next we approximate the lower bound for $p$ and the cardinality of $\mathcal{Y}$. We have
$$p \ge (\operatorname{card} M_{x'} - 1)(m_{\min} + 1) + 1 \ge \Big(\frac{q}{4R^+} - 1\Big)(m_{\min} + 1) + 1 \ge \frac{q}{8R^+}(m_{\min} + 1)$$
and
$$\operatorname{card}\mathcal{Y} \ge \operatorname{card}\Big\{ z \in \mathbb{Z} \;\Big|\; 0 \le z < \frac{R^+}{4(m_{\max} + 1)} \Big\} \ge \frac{R^+}{4(m_{\max} + 1)} - 1 \ge \frac{R^+}{8(m_{\max} + 1)},$$
since for each such $z$ the integer $y$ nearest to $qz/R^+$ belongs to $\mathcal{Y}$. The condition $R^+ > 32\ln\Delta$ ensures that the set $\mathcal{Y}$ contains at least three different elements. Thus, we have
$$\sum_{y \in \mathcal{Y}} \Pr(y \in \mathcal{Y}) \ge \frac{p}{8q}\operatorname{card}\mathcal{Y} \ge \frac{m_{\min} + 1}{2^9\,(m_{\max} + 1)} \ge 2^{-11},$$
where the last step uses $m_{\min} \ge 1$ and $m_{\max} - m_{\min} \le 4$ from Lemma 2.

The number of qubits can be determined as follows. The first register requires at most $\log\Delta + 2\log(\ln\Delta) + 5$ qubits to keep $q \le 10\Delta(\ln\Delta)^2$. For the second register, $\log\Delta + 2$ qubits are necessary to keep the coefficients $a$ and $b$ of the form $(a, b, c)$. Since $\Delta$ is fixed, it is not necessary to store $c$. Since $(a, b, c) \in \mathcal{R}^+$ is reduced, we have $0 < a, b < \sqrt\Delta$. □

Below, we present the complete algorithm for computing the regulator based on the quantum subroutine described above. For its analysis we need the following lemma.

Lemma 3. Let $q > (R^+)^2$ and $y_i, z_i$ be defined as in Regulator. Then we have $|y_1/y_2 - z_1/z_2| < 1/(2z_2^2)$.

⁵ In [Sch07] it is shown that $N \le 10.5\log\Delta + O(\log^2(\log\Delta))$.



Algorithm 2 Regulator

Input: A discriminant $\Delta$ of a real-quadratic field $\mathcal{K}$.
Output: The regulator of $\mathcal{K}$.

1. Test classically whether $R^+ \le 32\ln\Delta$. If the answer is yes, compute classically the required approximation of $R^+$ and go to 4.

2. Use Regulator-Dual to compute $y_1 = (q/R^+)z_1 + \omega_1$ and $y_2 = (q/R^+)z_2 + \omega_2$, $|\omega_1|, |\omega_2| < 1/2$, which approximate random elements of $(q/R^+)\mathbb{Z}$.

3. W.l.o.g. assume $y_1 < y_2$. Use the continued fraction expansion algorithm applied to $y_1/y_2$ to compute $z_1$ and $z_2$. The number $qz_1/y_1$ is an approximation of the regulator which can be improved classically.

4. Return the approximation $R'$.



Proof. With $y_i = (q/R^+)z_i + \omega_i$ we have the following inequality:
$$\Big|\frac{y_1}{y_2} - \frac{z_1}{z_2}\Big| = \frac{|(qz_1/R^+ + \omega_1)\,z_2 - (qz_2/R^+ + \omega_2)\,z_1|}{y_2 z_2} = \frac{|\omega_1 z_2 - \omega_2 z_1|}{y_2 z_2} \le \frac{z_1 + z_2}{2z_2\,(qz_2/R^+ - 1/2)} = \frac{R^+(z_1 + z_2)}{z_2\,(2qz_2 - R^+)} \le \frac{2R^+}{2qz_2 - R^+} < \frac{1}{2z_2^2}.$$
The second-to-last inequality uses $z_1 \le z_2$, which follows from $y_1 < y_2$. The last inequality is true because of the choice of $q > (R^+)^2$ and because $y \in \mathcal{Y}$ with $\mathcal{Y}$ from (2) gives $z_2 < R^+/8$: then $4R^+z_2^2 + R^+ < \frac12 qz_2 + qz_2 < 2qz_2$, which is equivalent to the claim. □



Theorem 2. Regulator computes an approximation of the regulator $R^+$ of a real-quadratic number field $\mathbb{Q}(\sqrt\Delta)$ in quantum polynomial time (polynomial in $\log\Delta$). Regulator is a Monte Carlo type algorithm which succeeds with probability at least $2^{-26}$. The algorithm requires at most $2\log(\Delta) + 2\log\ln\Delta + N + 7$ qubits, where $N$ is the number of temporary qubits which are necessary to execute operations on forms to compute Reg.

Proof. We use the same notation as in the theorem and the algorithm.

First, assume $R^+ \le 32\ln\Delta$. In this case, the regulator can be computed completely classically by using the polynomial time algorithm from [BB94].

Next, assume $R^+ > 32\ln\Delta$. In this case the cardinality of $\mathcal{Y}$ from (2) is at least 3. Thus, by running Regulator-Dual twice we obtain two different non-zero $y_1, y_2 \in \mathcal{Y}$ with probability at least $(1/8)\,2^{-11}\,2^{-11} = 2^{-25}$. Since $|\mathrm{Cl}_\Delta|\,R^+ < \sqrt\Delta(\ln\sqrt\Delta + 1)/2$ (see [Hua82]), we have $(4R^+)^2 < 4\Delta(\ln\sqrt\Delta + 1)^2 = \Delta(\ln\Delta + 2)^2 < q$. Therefore Lemma 3 holds and we can apply the continued fraction expansion algorithm to $y_1$ and $y_2$ to compute $z_1$ and $z_2$ (assuming $\gcd(z_1, z_2) = 1$, which is true with probability at least $6/\pi^2$). The number $qz_1/y_1$ is an approximation of the regulator which can be improved classically ([BB94], [Mau00]). The success probability of the algorithm is at least $(6/\pi^2)\,2^{-25} > 2^{-26}$.

The number of qubits follows directly from Theorem 1. □
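The classical post-processing of Regulator (step 3) together with Lemma 3, as an added example in Python that is not part of the paper. The quantum subroutine is replaced by a classical stand-in that produces $y_i = (q/R^+)z_i + \omega_i$ with $|\omega_i| \le 1/2$ from a chosen regulator and chosen $z_i$ (constructed input: $R^+ = 123.456789$ is a stand-in value, not the regulator of any particular field, and $q = 2^{20} > (R^+)^2$). The continued fraction expansion of $y_1/y_2$ then returns $z_1/z_2$, and $qz_1/y_1$ approximates $R^+$ to within 1 as Definition 1 requires. The denominator bound $\sqrt q/8$ used to pick the convergent is the example's own choice, justified by $z_2 < R^+/8 < \sqrt q/8$; all function names are the example's own.

```python
from math import isqrt


def dual_samples(q, R, z1, z2):
    """Classical stand-in for Regulator-Dual: y_i = round(q*z_i/R) = (q/R)*z_i + w_i, |w_i| <= 1/2.
    (Constructed input; a real run would obtain y_1, y_2 from the quantum subroutine.)"""
    return round(q * z1 / R), round(q * z2 / R)


def convergents(num, den):
    """Convergents p/q of the continued fraction expansion of num/den, in order."""
    p0, p1, q0, q1 = 0, 1, 1, 0             # p_{-2}, p_{-1}, q_{-2}, q_{-1}
    while den:
        a, num, den = num // den, den, num % den
        p0, p1 = p1, a * p1 + p0
        q0, q1 = q1, a * q1 + q0
        yield p1, q1


def recover_ratio(y1, y2, denom_bound):
    """Last convergent of y1/y2 with denominator <= denom_bound.  By Lemma 3,
    |y1/y2 - z1/z2| < 1/(2 z2^2), so z1/z2 is a convergent (Legendre's criterion); the
    next convergent has denominator of the order of q/R+ > sqrt(q), far above the bound."""
    best = None
    for p, qd in convergents(y1, y2):
        if qd > denom_bound:
            break
        best = (p, qd)
    return best


def regulator_from_dual(q, y1, y2):
    """Step 3 of Regulator: recover z1, z2 and return q*z1/y1 as the approximation R' of R+."""
    if y1 > y2:
        y1, y2 = y2, y1                      # w.l.o.g. y1 < y2
    z1, z2 = recover_ratio(y1, y2, isqrt(q) // 8)
    return q * z1 / y1


if __name__ == "__main__":
    q, R = 2 ** 20, 123.456789               # constructed: q > R^2, R plays the role of R+
    y1, y2 = dual_samples(q, R, 7, 11)
    print(y1, y2, recover_ratio(y1, y2, isqrt(q) // 8), regulator_from_dual(q, y1, y2))
```

With the constructed input the samples are $y_1 = 59454$ and $y_2 = 93428$; the convergents of $y_1/y_2$ are $0/1, 1/1, 1/2, 2/3, 5/8, 7/11, 29727/46714$, the bound $\sqrt q/8 = 128$ selects $7/11$, and $qz_1/y_1 = 123.4573\ldots$ differs from the stand-in regulator by less than $10^{-3}$.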



5 Solving the Principal Ideal Problem 

In this section, we present an algorithm for solving the principal ideal problem and the discrete logarithm problem in the infrastructure of a real-quadratic number field.

Definition 3 (Principal ideal problem). Given a reduced form $g$, decide whether $g$ is principal and, if so, find $\delta(g)$.

To solve the PIP, we extend the function Reg to the following one.

Definition 4. Let $g$ be a reduced principal form. Fix an algorithm $\widetilde{\ln}$ for computing an approximation of the natural logarithm. All the distance computations $\delta$ below are carried out with this $\widetilde{\ln}$. The function
$$\mathrm{PIP} : \mathbb{Z}\times\mathbb{Z} \to \mathcal{R}^+ : (x, y) \mapsto g_{(x,y)}$$
maps two integers $x$ and $y$ to a reduced principal form $g_{(x,y)} = (a, b, c)$, $a > 0$, left of or at $\delta(g^x) + y/4$. The precision of $\widetilde{\ln}$ must be chosen such that $|\tilde\delta(g_{(x,y)}) - \delta(g_{(x,y)})| < 1/8$ for all $x$ and $y$.

The next lemma is an extension of Lemmas 1 and 2.

Lemma 4. Let $n$ be the smallest positive integer such that $g^n \sim \mathcal{O}_\Delta$. Let $S = \operatorname{dist}(\mathcal{O}_\Delta, g^n)$ and $\Lambda$ be the lattice generated by $(n, -S)^t$ and $(0, 4R^+)^t$.⁶ Then for all $(x_1, x_2), (x_1', x_2') \in \mathbb{Z}^2$ there exist an $\epsilon_{(x,x')}$, $|\epsilon_{(x,x')}| < 1$, and $1 \le m_{(x,x')} \le \ln\Delta + 3$ such that $-x_1 S + 4x_2R^+ + m + \epsilon_{(x,x')} \in \mathbb{Z}$ and
$$\mathrm{PIP}(x_1' + x_1 n,\; x_2' - x_1 S + 4x_2R^+ + m + \epsilon_{(x,x')}) = \mathrm{PIP}(x_1', x_2')$$
for all $0 \le m \le m_{(x,x')}$. As in Lemma 2, we have $\max_{x, \tilde x \in \mathbb{Z}^2} |m_{(x,x')} - m_{(\tilde x,x')}| \le 4$. □

Lattice $\Lambda$ is the period lattice of PIP. Let $\Lambda^*$ be the lattice dual to $\Lambda$. It is easy to see that the rows of
$$\begin{pmatrix} 1/n & 0 \\ S/(4nR^+) & 1/(4R^+) \end{pmatrix}$$
form a basis of $\Lambda^*$.



Algorithm 3 AlgPIP-Dual

Input: Discriminant $\Delta$, integer $q$ such that $2q \le \Delta(\ln\Delta)^2 < 4q$.
Output: An approximation of a vector from $8q\Lambda^*$.

1. (initial state) $|0\rangle|0\rangle|(1, \Delta \bmod 2)\rangle$.

2. (create superposition) $\to \frac1q\sum_{x_1=0}^{q-1}\sum_{x_2=0}^{q-1} |x_1\rangle|x_2\rangle|(1, \Delta \bmod 2)\rangle$.

3. (compute PIP) $\to \frac1q\sum_{x_1=0}^{q-1}\sum_{x_2=0}^{q-1} |x_1\rangle|x_2\rangle|\mathrm{PIP}(x_1, x_2)\rangle$.

4. (measure the third register)
$$\to \frac{1}{\sqrt p}\sum_{x_1=0}^{\lfloor (q - x_1' - 1)/n\rfloor}\sum_{x_2 \in M}\sum_{m=0}^{m_{(x,x')}} |x_1' + x_1 n\rangle\,|x_2' - x_1 S + 4x_2R^+ + m + \epsilon_{(x,x')}\rangle\,|\mathrm{PIP}(x')\rangle,$$
with a random $x' = (x_1', x_2') \in \{0, \dots, n-1\}\times\{0, \dots, \lfloor 4R^+\rfloor\}$, $m_{(x,x')}$ and $\epsilon_{(x,x')}$ as defined in Lemma 4, $M = M_{(x',x_1)} = \{x_2 \in \mathbb{Z} \mid 0 \le x_2' - x_1 S + 4x_2R^+ + \epsilon_{(x,x')} < q\}$, and $p = \sum_{x_1=0}^{\lfloor (q - x_1' - 1)/n\rfloor}\sum_{x_2 \in M} (m_{(x,x')} + 1)$.

5. (apply the QFT to the first two registers)
$$\to \frac{1}{8q\sqrt p}\sum_{y_1=0}^{8q-1}\sum_{y_2=0}^{8q-1}\sum_{x_1}\sum_{x_2 \in M}\sum_{m} \exp\Big(2\pi i\,\frac{(x_1' + x_1 n)\,y_1}{8q}\Big)\exp\Big(2\pi i\,\frac{(x_2' - x_1 S + 4x_2R^+ + m + \epsilon_{(x,x')})\,y_2}{8q}\Big)|y_1\rangle|y_2\rangle|\mathrm{PIP}(x')\rangle.$$

6. Measure and return the first two registers $(y_1, y_2)$.



Theorem 3. The set of approximations for vectors from $8q\Lambda^*$ is
$$\mathcal{Y} = \Big\{ (y_1, y_2) \in \mathbb{Z}^2 \;\Big|\; 0 \le y_1 < 8q \text{ and } \frac{y_1}{8q} = \frac{z_1}{n} + \frac{S z_2}{4nR^+} + \omega_1 \text{ with } z_1, z_2 \in \mathbb{Z} \text{ and } |\omega_1| < \frac{1}{16q};\ 0 \le y_2 < \frac{q}{m_{\max} + 2} \text{ and } \frac{y_2}{8q} = \frac{z_2}{4R^+} + \omega_2 \text{ with } |\omega_2| < \frac{1}{16q} \Big\}. \qquad (4)$$
AlgPIP-Dual computes vectors $(y_1, y_2) \in \mathcal{Y}$ in quantum polynomial time with probability at least $2^{-15}$ and requires at most $3\log(\Delta) + 4\log\ln\Delta + N$ qubits, where $N$ is the number of temporary qubits which are necessary to execute operations on forms to compute PIP.⁷

⁶ By $x^t$, we denote the transpose of the vector $x$.

⁷ In [Sch07] it is shown that $N \le 10.5\log\Delta + O(\log^2(\log\Delta))$.



Proof. The probability to measure a $y = (y_1, y_2) \in \mathcal{Y}$ is
$$\Pr(y \in \mathcal{Y}) = \frac{1}{64q^2p}\,\Big|\sum_{x_1=0}^{\lfloor (q - x_1' - 1)/n\rfloor}\sum_{x_2 \in M}\sum_{m=0}^{m_{(x,x')}} \exp\Big(2\pi i\,\frac{x_1 n\,y_1 + (-x_1 S + 4x_2R^+ + m + \epsilon_{(x,x')})\,y_2}{8q}\Big)\Big|^2 \qquad (5)$$
(the common factor $\exp(2\pi i (x_1'y_1 + x_2'y_2)/(8q))$ has absolute value one and is omitted). We have
$$\frac{x_1 n\,y_1 + (-x_1 S + 4x_2R^+ + m + \epsilon_{(x,x')})\,y_2}{8q} \equiv x_1 n\,\omega_1 + (-x_1 S + 4x_2R^+)\,\omega_2 + \frac{(m + \epsilon_{(x,x')})\,y_2}{8q} \pmod 1,$$
because by (4) the remaining terms $x_1 z_1 + x_1 S z_2/(4R^+) - x_1 S z_2/(4R^+) + x_2 z_2$ are integers. Here $|\omega_1|, |\omega_2| < 1/(16q)$ and $0 \le y_2 < q/(m_{\max} + 2)$, so the first two terms are each smaller than $1/16$ in absolute value and the third lies between $-1/16$ and $1/8$. Hence the sum in (5) is a sum of $p$ vectors of length one which all lie in a segment of size $\pi/2$. This implies $\Pr(y \in \mathcal{Y}) \ge |p\sqrt2/2|^2/(64q^2p) = p/(128q^2)$.

Next, we estimate the lower bounds for $p$ and $\operatorname{card}\mathcal{Y}$. We have
$$p = \Big(\Big\lfloor\frac{q - x_1' - 1}{n}\Big\rfloor + 1\Big)\sum_{x_2 \in M}(m_{(x,x')} + 1) \ge \frac{q}{2n}\cdot\frac{q}{8R^+}\,(m_{\min} + 1)$$
and
$$\operatorname{card}\mathcal{Y} \ge \operatorname{card}\Big\{ (z_1, z_2) \in \mathbb{Z}^2 \;\Big|\; 0 \le z_1 < n \text{ and } 1 \le z_2 < \frac{R^+}{2(m_{\max} + 2)} \Big\} \ge n\Big(\frac{R^+}{2(m_{\max} + 2)} - 1\Big) \ge \frac{nR^+}{4(m_{\max} + 2)},$$
where the last step needs $R^+ \ge 4(m_{\max} + 2)$, which holds under the assumption $R^+ > 64\ln\Delta$ made in AlgPIP. From the above results, it follows
$$\sum_{y \in \mathcal{Y}} \Pr(y \in \mathcal{Y}) \ge \frac{p}{128q^2}\operatorname{card}\mathcal{Y} \ge \frac{q^2(m_{\min} + 1)}{16nR^+\cdot 128q^2}\cdot\frac{nR^+}{4(m_{\max} + 2)} = \frac{m_{\min} + 1}{2^{13}\,(m_{\max} + 2)} \ge 2^{-15},$$
using $m_{\min} \ge 1$ and $m_{\max} - m_{\min} \le 4$ from Lemma 4.

The number of qubits can be determined as follows. Each of the first two registers requires at most $\log\Delta + 2\log(\ln\Delta)$ qubits to keep $q \le (1/2)\Delta(\ln\Delta)^2$. As in algorithm Regulator-Dual, the third register requires $\log\Delta + 2$ qubits. □



Algorithm 4 AlgPIP

Input: Reduced form $g$ of discriminant $\Delta$, regulator $R^+$.
Output: "fail", "not principal", or $\delta(g)$ if $g$ is principal.

1. If $R^+ \le 64\ln\Delta$, classically compute and return the solution.

2. Use AlgPIP-Dual to compute $(y_1, y_2)$ and $(y_1', y_2')$.

3. Set $z_2 = \lfloor y_2R^+/(2q)\rceil$ and $z_2' = \lfloor y_2'R^+/(2q)\rceil$ (nearest integers) and compute $k_1, k_2 \in \mathbb{Z}$ such that $k_1 z_2 + k_2 z_2' = \gcd(z_2, z_2')$.

4. If $\gcd(z_2, z_2') = 1$, then set $p = y_1 k_1 + y_1' k_2 \bmod 8q$ and $S' = pR^+/(8q)$. In this case $S'$ is an approximation for $S$. If $\gcd(z_2, z_2') > 1$, return "fail".

5. Test whether $S'$ is an approximation for $S$. If not, return "not principal".

6. Return the approximation $S'$ (improve it classically, if necessary).


Theorem 4. AlgPIP solves the principal ideal problem in a real-quadratic number field $\mathbb{Q}(\sqrt\Delta)$ for every reduced form $g$ in quantum polynomial time (polynomial in $\log\Delta$). It is a Monte Carlo type algorithm with success probability at least $2^{-31}$. The algorithm requires at most $3\log(\Delta) + 4\log\ln\Delta + N$ qubits, where $N$ is the number of temporary qubits which are necessary to execute operations on forms to compute PIP.

Proof. We use the same notation as in the theorem and the algorithms.

First, we test classically whether $R^+ \le 64\ln\Delta$ and, if so, the problem can be solved in classical polynomial time using algorithms from [BB94] or [Mau00].

Now, we assume that $R^+ > 64\ln\Delta$. With probability at least $2^{-15}\cdot 2^{-15} = 2^{-30}$, the quantum subroutine AlgPIP-Dual returns two different vectors $(y_1, y_2), (y_1', y_2') \in \mathcal{Y}\setminus\{(0,0)\}$. By (4),
$$\frac{y_2}{8q} = \frac{z_2}{4R^+} + \omega_2, \qquad |\omega_2| < \frac{1}{16q},$$
which implies
$$\Big|\frac{y_2R^+}{2q} - z_2\Big| = |4R^+\omega_2| < \frac{R^+}{4q} \le \frac14 .$$
Hence $z_2 = \lfloor y_2R^+/(2q)\rceil$, the integer nearest to $y_2R^+/(2q)$, and analogously $z_2' = \lfloor y_2'R^+/(2q)\rceil$. Using an extended GCD algorithm, we compute $k_1, k_2 \in \mathbb{Z}$ such that $k_1 z_2 + k_2 z_2' = \gcd(z_2, z_2')$. We assume $\gcd(z_2, z_2') = 1$, which is true with probability at least $6/\pi^2$.

Next, assume $g$ is a principal form. In this case $n = 1$. Using (4), we can write
$$\frac{y_1 k_1 + y_1' k_2}{8q} = k_1 z_1 + k_2 z_1' + (k_1 z_2 + k_2 z_2')\frac{S}{4R^+} + k_1\omega_1 + k_2\omega_1' = k_1 z_1 + k_2 z_1' + \frac{S}{4R^+} + \omega, \qquad |\omega| < \frac{|k_1| + |k_2|}{16q}.$$
From $k_1 z_1 + k_2 z_1' \in \mathbb{Z}$ and $0 \le S/R^+ < 1$, it follows that $S' = pR^+/(8q)$, $p = y_1 k_1 + y_1' k_2 \bmod 8q$, is an approximation of $S$. Now, we test classically whether this is true and, if so, we improve the approximation classically with algorithms from [Mau00]. If $S'$ is not an approximation for $S$, then our assumption is wrong and $g$ is not a principal form.

Finally, we estimate the success probability of AlgPIP, which is the probability to measure two different non-zero vectors from $\mathcal{Y}$ such that $\gcd(z_2, z_2') = 1$. This probability is at least $2^{-30}\cdot 6/\pi^2 > 2^{-31}$.

The number of qubits follows directly from Theorem 3. □



Notice that if the output of AlgPIP is "not principal", then we cannot decide whether it is correct or not. However, this case can be handled by applying more advanced techniques from [BP89] and [BK93] for finding a basis of a lattice given approximations for vectors from the dual lattice.

If, however, the output of AlgPIP is a distance $\delta$, we can easily test classically whether this distance is correct. This case is sufficient to break the cryptosystem proposed in [BW90], since in this cryptosystem $g$ is always principal by construction.



6 Conclusion 

In this paper, we presented polynomial-time quantum algorithms for solving the regulator and the principal ideal problem in real-quadratic number fields by using functions which are many-to-one on a period. These algorithms reduce the number of qubits by at least $2\log\Delta$ compared to Hallgren's algorithms. This is due to the facts that the period of the lattice is smaller ($8R$ vs. $\lceil\sqrt\Delta\rceil R$), the necessary precision for natural logarithms is smaller ($1/8$ here), and the function value of Reg and PIP is a form and not a pair of a form and a distance.

An open problem is whether this method can be used for computing the class group of a real-quadratic number field and for improving the algorithms for number fields of degree greater than two which are presented in [Hal05] and [SV05].